"common" administrative security group is removed by user

Bug #1804227 reported by Jesper Schmitz Mouridsen
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

If an administrator adds a security group to a server and the security group is not in the server's project, horizon deletes it again when the user edits the instance's security groups.

Steps:

admin create security group common
server add security group common server-in-another-project

horizon login as user of another-project, edit security groups on server-in-another-project
Result: the not visible "common" sec group is removed from server-in-another-project

Tags: neutron
Akihiro Motoki (amotoki)
tags: added: neutron
Akihiro Motoki (amotoki) wrote :

I am marking this as Incomplete from the observation below.

The neutron API does not allow adding/removing a specific security group. When a regular user would like to update the security groups of a neutron port, they need to specify the whole set of security groups.
Such a regular user cannot know the security group(s) assigned by admin (which you mentioned in the bug report), so this is not specific to horizon.

If you really would like to have this feature in OpenStack, I would suggest you discuss this with the Nova/Neutron team.

With my neutron core hat on, this usage is not intended. It just works for the nova security group API, which was deprecated long ago. neutron-fwaas has a concept of shared firewall groups and I believe this is designed to support the feature you want.

Changed in horizon:
status: New → Incomplete
Akihiro Motoki (amotoki) wrote :

More information

If a regular user wants to add a security group to a server after admin added a common (hidden) security group to the server, the regular user no longer calls "openstack server add security group". This looks confusing. See the line of the link: http://paste.openstack.org/show/735989/

In addition, (common? hidden?) security groups assigned by admin can be cleared easily.
"openstack port set --no-security-group 5d2b8ff7-1a92-4b57-972a-6c9402f9a083" does it. This is the intended behavior in the neutron API. http://paste.openstack.org/show/735990/

My general suggestion is not to depend on this behavior.
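
The behaviour described in the two comments above, as an added example that is not part of the original thread and not Horizon or neutron code: a simplified Python model in which a port update replaces the whole security group list, plus an audit that flags groups attached from a different project than the port. All project, port and group names are constructed, and the visibility rule (a user's client only knows groups of its own project) is an assumption taken from the comment.

```python
# Simplified model (added example): ports and security groups as plain dicts.
# All ids, names and projects below are constructed for illustration.
SECURITY_GROUPS = {
    "sg-common":  {"name": "common",  "project_id": "admin-project"},
    "sg-default": {"name": "default", "project_id": "another-project"},
    "sg-web":     {"name": "web",     "project_id": "another-project"},
}

PORTS = {
    "port-1": {"project_id": "another-project",
               "security_groups": ["sg-default", "sg-common"]},
}


def visible_groups(project_id):
    """Groups a regular user of project_id can list (assumed: own project only)."""
    return {sg_id for sg_id, sg in SECURITY_GROUPS.items()
            if sg["project_id"] == project_id}


def update_port(port_id, security_groups):
    """Model of a port update: the supplied list replaces the old one whole."""
    PORTS[port_id]["security_groups"] = list(security_groups)


def user_edit(port_id, project_id, add=(), remove=()):
    """A client acting as a regular user: start from the groups it knows on
    the port, apply the edit, then send the full resulting set."""
    known = visible_groups(project_id)
    seen = [g for g in PORTS[port_id]["security_groups"] if g in known]
    new_set = [g for g in seen if g not in remove] + list(add)
    update_port(port_id, new_set)
    return new_set


def foreign_group_attachments():
    """Audit: (port, group) pairs where the group belongs to a different
    project than the port, i.e. attachments the port owner can drop unknowingly."""
    return [(pid, g) for pid, port in PORTS.items()
            for g in port["security_groups"]
            if SECURITY_GROUPS[g]["project_id"] != port["project_id"]]
```

Running the audit before the user's edit lists the admin-attached "common" group; after the edit the list is empty because the group is no longer on the port.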

Jesper Schmitz Mouridsen (jsmdk) wrote :

Hi, shared firewall groups would indeed solve my problem.

My (other issue) is that I can only make it work within l3 in openstack.
E.g. it works behind qrouters, or with floating ips.

My private cloud set up uses openvswitch and has external l3. Is l2 firewalling with openvswitch supported? "Supports L2 firewalling (VM ports)" https://docs.openstack.org/newton/networking-guide/fwaas.html
or must it go through openstack managed l3, as I assume?

Akihiro Motoki (amotoki) wrote :

Jesper, how is comment #3 related to horizon?

Akihiro Motoki (amotoki) wrote :

This is not a horizon bug now. Marking this as Invalid.

Changed in horizon:
status: Incomplete → Invalid